Adding Olaf's Threat Hunting App. Fixes. Updates.
This commit is contained in:
Chris Long
@@ -1,17 +1,17 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIICnjCCAYYCCQD3m5L/nC/akjANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZr
|
||||
b2xpZGUwHhcNMTcxMTAxMjAxMDIxWhcNMTgxMTAxMjAxMDIxWjARMQ8wDQYDVQQD
|
||||
DAZrb2xpZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDahfD8pVJN
|
||||
KSdE+GoYIPsteyHvyQXXGcCIlrt+EFI5TXKBcHE8Vyyi1xw7hTpGKA3DGbLBf43E
|
||||
j26w7NS0hGhbJHwjx5EBujWhDskbH8GTzhQllVoYOOwuU85MWiISQOAWhaytIFYg
|
||||
6wnBaA0EtNEOeYPD1J5t1Bt4k9pwS+ATJxAag9BSesMdmU6Uz2zCxSavsDMGepiv
|
||||
kaOAzT4Bhy3aVhq56mNayLT2fCdmyEyKlou9gUzteY0dp010ZNfqyxgcsnhogUij
|
||||
6LaEsVzsxDRH7HFPtCeGBb8CjnnPhMbAU9nzhn+9EEtiIUvN0Dl0G/DmgziTpKgD
|
||||
EEmddbqEK6g9AgMBAAEwDQYJKoZIhvcNAQELBQADggEBALVH183jm9WeKXd3Uhqn
|
||||
jyOZ8H4+RhaADm4rkABmVHUAIoqLQOfpnTuvcp/eiAAUBNaRk8B5T+yWosx+IP4u
|
||||
SUoRR949zdn5kd/BkoHE5rcJh169goJlKLtKGXkPyCRgcakXC/kDSZtWrIyw/vYu
|
||||
6WYjScDLiEDlgVQQuEdI3S5lDm9D0UMvCmiVsUyWYcTic2WgO9vaOErWS5UQMaPV
|
||||
crzxIJKxd1eK0++gdyiwWwakWBtHpDQnpjamfFBqltvXKdpY1cIVJsyXROlZ6xNk
|
||||
NqbzMLDLt/4zvGjG88zrpwqU2egigX2VkAgOMa8BEnnkvZMuCcgoYkCXbY3CXsts
|
||||
YOM=
|
||||
MIICnjCCAYYCCQCwK8/9PtNo1TANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZr
|
||||
b2xpZGUwHhcNMTgxMjExMDg0NjUxWhcNMjEwOTA2MDg0NjUxWjARMQ8wDQYDVQQD
|
||||
DAZrb2xpZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDO6RiMkjD1
|
||||
LJmcTR3oiUXrN4Kz+2KWCm3RrM6UanxhmVG12DrX1VPzsFkmzPdc74LKVUqPFJfV
|
||||
oAt3U2RQ4oPmMdS9yuvYz9NprbZ8Qe+Toue5reUqyDU9RQhoiYMuCvIdoOS35Zg4
|
||||
gHrP8fMkDNLSE3egqHNxtQ0lCTHiIOB3+Lr2MDiuSLP2WM+JLc7tt95Vg4zAU0VG
|
||||
38Q/SfET3OhCUIOu2OR/XlpqbKORRHqrc7/0wzuZGxSsw+bei8d/OOfKdvL3WhFd
|
||||
35F0OduEa0PGphKt0ePT6R2NtjtGg5GIQ3QhC222qAeYXLOOeNIS2RB42h6rr/Fr
|
||||
vXUl/Gj4HGxNAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAJu06ushu+H4gBzH65pR
|
||||
caBkH7OKbmOUxmVwkZMmHGaTWnHvUmvSNaR70466Sd25YHn1MyNmi3rI0h2LwUjU
|
||||
wEXoDbQRUpbKrF410L114D5g5lZ78eMRXN5ItzJluGVHOpdBWCJslpvoksW7ovPD
|
||||
awbD2hPNDIOAjVTXC3fgyEST+VSLripjhg6yhgZWVYRNgfcjDl3IG3AIg3Gpr7mu
|
||||
ClqTYP27vL4EYTIp+waYhYIc/CEI/lao7/X++5Gp2bJsMscFuSfJDJ3kLvbCebyL
|
||||
1GSnkKbtokUFqsDWnG9IoodHCSL/lj8fhTeXJZsi5Zky9yZC7BiIKmGn5/vcOTO6
|
||||
oDs=
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
@@ -1,27 +1,27 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEowIBAAKCAQEA2oXw/KVSTSknRPhqGCD7LXsh78kF1xnAiJa7fhBSOU1ygXBx
|
||||
PFcsotccO4U6RigNwxmywX+NxI9usOzUtIRoWyR8I8eRAbo1oQ7JGx/Bk84UJZVa
|
||||
GDjsLlPOTFoiEkDgFoWsrSBWIOsJwWgNBLTRDnmDw9SebdQbeJPacEvgEycQGoPQ
|
||||
UnrDHZlOlM9swsUmr7AzBnqYr5GjgM0+AYct2lYauepjWsi09nwnZshMipaLvYFM
|
||||
7XmNHadNdGTX6ssYHLJ4aIFIo+i2hLFc7MQ0R+xxT7QnhgW/Ao55z4TGwFPZ84Z/
|
||||
vRBLYiFLzdA5dBvw5oM4k6SoAxBJnXW6hCuoPQIDAQABAoIBAGaidD5lc5NUGeKV
|
||||
/laY3wBMjfLuarTNnpVInoUmK0hIrNhItJaPpyJQgC0gdO9Qjq4s2r1xKGfCqk2k
|
||||
3n5ulgkAyOGRMPUrvVaI+EGqF6RRLTs9u5QW4C8eI43O46PJHrbVT/X8cxeA7RMO
|
||||
yNaGCo6O2ilXKpYRAloOr5EAwhyb5OeNrxe/XkngzU2/Sy/XPqqa/gUZGReJzEW1
|
||||
/M/iJULNSo2smKftdzDkiSVxH4x5En3q/ri7EUs6NMJZ9V7mUI7LJABeDOBYNta6
|
||||
e43b9f6sVfoecFU71FmrXx6QUvUJATNUPEqCwQqp4LfmUrv/Rnty/d39ktQqkpkV
|
||||
u4CQ700CgYEA9c6WoE7sK+M4ySmnc08ol0RxoUX4gp9oHbIUe+8fN4al6uLawvc1
|
||||
zgPjsev9kMGsw9Ejm2ID+PcuyQirJcE+MkT6Jdj6S39hE0umnFfxytF8vssqVcrG
|
||||
bSWS3fLgQ+5k7/IbWFJiQxRW7Y/4qjlOqeHE9tAbPMUyH+viT6nu6w8CgYEA45W3
|
||||
fSHVrr72h7WettUwb/dJLSjIj7MbMcMGrq2bStwHkZikXr1tgBtxFBTiOoc2p1JK
|
||||
+bII0cilAyobp1wk6spOt501QeciYxnCgHBuenC4TDmzPdgwQvBOHQoMe8oS/ZBd
|
||||
SwGpuEBCfBnODnDrWNgAye9rxV1pAXwUTns45/MCgYEAqhLbs2WIEUGxS7ZvbuAp
|
||||
ZKhturlwHejvoARUGgA0aDXY3PFDjbyAVN/qDnQLSLpIsGAnM96Ygw18KIq/6GqR
|
||||
fzSso71CSTSEVVZ1nB1ZZgyWNGjcDOo1atWhjcH7m+T5n++zLeQqquEK2GpSEm1+
|
||||
WRqmLmOFRQHoEaAjQR2B+s8CgYBe5WvISpZuMgRcHBgdBpIW7dbedLYEbVt2iWq8
|
||||
5XjuYwbo5+wJ8RS6qTaid/7JBt58MG1A5sKUrwRXaHR1eY+PM2JVX8D4ROdqyS/4
|
||||
HGmEtoGyjxC1RfMBxm/b3ffMmjsG7e5ouz3IrUrLsnrgPKd1uUPC8AlRF50UWGej
|
||||
PfBBjwKBgDqk/kpJ7aYfJB/lB5F+v+V1YucNyCgxj6cQ/aiBxOq3pN7wi8/vra2K
|
||||
/cGiz4JWrSS3PeUmiu7eCsYbItxyi1yjNOcfI1/gJTjm8Mgoh7WT39a8IfPefsLD
|
||||
MpJ3ISw+VcV1Vcr8g7/LsZZNfRcTVEZbCWSdPH69KgdDn8vLU1O0
|
||||
MIIEowIBAAKCAQEAzukYjJIw9SyZnE0d6IlF6zeCs/tilgpt0azOlGp8YZlRtdg6
|
||||
19VT87BZJsz3XO+CylVKjxSX1aALd1NkUOKD5jHUvcrr2M/Taa22fEHvk6Lnua3l
|
||||
Ksg1PUUIaImDLgryHaDkt+WYOIB6z/HzJAzS0hN3oKhzcbUNJQkx4iDgd/i69jA4
|
||||
rkiz9ljPiS3O7bfeVYOMwFNFRt/EP0nxE9zoQlCDrtjkf15aamyjkUR6q3O/9MM7
|
||||
mRsUrMPm3ovHfzjnynby91oRXd+RdDnbhGtDxqYSrdHj0+kdjbY7RoORiEN0IQtt
|
||||
tqgHmFyzjnjSEtkQeNoeq6/xa711Jfxo+BxsTQIDAQABAoIBACil/G+pTLrtzyO4
|
||||
trZ3OWgzWJcZPM3zMI3voAniPZtC7p2F5FGAlGSccXdA7xuv5gbv6JzhU87hCT+g
|
||||
/2Uwiu8PPRcoJVtLwOHTAbW5kmJzr4h31DyqZmMqC7PVyBKkjdoqQKSsE1KOUxJF
|
||||
Gxoq9sPUlTzXuw5Mnk93Vfhxswd+WFaajrwnZWV+nWG436Y6QtrP241E5AS+SrPo
|
||||
CoaiXPNsvJjdGlF6yRYyUCYlZKQItPXjGgTI+TC3gfiZHwv6y86ylBHT5uObIDeu
|
||||
hvc1pVOf73vPLrpwvqmY/6y+RLzMqPByyuas/8V/RrZScDKgA0FQ1fL6IHxC6yim
|
||||
DFhL6cECgYEA8pTZ0VE2UdYuXTxvkiGsdgebkh3kxiy25PwjSzW18q7WThoZrErv
|
||||
+ggzYY6DKLH430lbmVeDUl9yBasr8AeJMgI+lcxDkqUyUJiWJEQtW2pLVjcv3JHE
|
||||
0ixK5knzEEDsZUZa9DsCx3PVmylJw64qk+QnRjFXfxkTo+nWpbZrxTECgYEA2lsd
|
||||
tY0blBM9xpRHYu58C7muMLwm7hlgxpAlG7lFQAYr7XOghAx7r+sDoAzx0f7w5/mQ
|
||||
y2W9vKlJeaU0nzwohsSIt7/bU81+lx3MBtR2DEjsTRTF4zJ760HFf4raFZGEeiS4
|
||||
j2e5Z02lVXw+5J3m8DJkjxyNtIwPGHJEKiquAd0CgYB7baWOzaW36iTZJ+EVF7Eq
|
||||
tSBBLpizBRliVbCXmhKkErXUM4+QjOih7f5Gyz6NPFEHO8oxsceN6CaaH8hRb2Qt
|
||||
X9r8WVyghxGc1KbAeTgi5WjDy3y83CarUgIiPspAIOindy7cShJV7ehn9JAl0r6z
|
||||
VUlue7irYNUPd/HRi4o2YQKBgHrPXHpMDwLNf6U8qJngACyoFmyaplqsM136nKRn
|
||||
I6fK0NIQgmtCih57U+Kk5S1y8hPGrcV4R6rgm86rOFmHAFQsHakbY0RTA6wCuknt
|
||||
HSfzq9P+pv4N2tyKdYYylk4jNhtso9EkSYbsiNz3sHfsx4K5FQ3YxWqSi7r4KZZ9
|
||||
wriRAoGBAK6huxSeKGqwh/w/QNmdMQPgJU2nso4ZAQZ0hrvhq0frwMRzfrdVktCB
|
||||
KfxwCasNgyg7faVoAPlzAiraNkRnPHGRYqnXs2qX0rf3KU1VT6974dU2j8tOhBQ9
|
||||
qr+nDCPe9thRzkGZcRNIQllznWVo0iwi+yXew0jxBPLhxIMVbx1c
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
||||
Binary file not shown.
BIN
Vagrant/resources/splunk_server/lookup-file-editor_305.tgz
Normal file
BIN
Vagrant/resources/splunk_server/lookup-file-editor_305.tgz
Normal file
Binary file not shown.
71
Vagrant/resources/splunk_server/macros.conf
Normal file
71
Vagrant/resources/splunk_server/macros.conf
Normal file
@@ -0,0 +1,71 @@
|
||||
[sysmon]
|
||||
definition = index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
|
||||
iseval = 0
|
||||
|
||||
[windows-app]
|
||||
definition = index=wineventlog source="WinEventLog:Application"
|
||||
iseval = 0
|
||||
|
||||
[powershell]
|
||||
definition = index=powershell OR (index=wineventlog source="WinEventLog:Windows PowerShell" OR source="WinEventLog:Microsoft-Windows-PowerShell/Operational")
|
||||
iseval = 0
|
||||
|
||||
[windows-security]
|
||||
definition = index=wineventlog source="WinEventLog:Security"
|
||||
iseval = 0
|
||||
|
||||
[pan_threat]
|
||||
definition = index=pan_logs sourcetype="pan:threat"
|
||||
iseval = 0
|
||||
|
||||
[domain]
|
||||
definition = WINDOMAIN
|
||||
iseval = 0
|
||||
|
||||
[windows]
|
||||
definition = index=wineventlog source="WinEventLog:System" OR source="WinEventLog:Security"
|
||||
iseval = 0
|
||||
|
||||
[windows-system]
|
||||
definition = index=wineventlog source="WinEventLog:System"
|
||||
iseval = 0
|
||||
|
||||
[no-domain]
|
||||
definition = "WINDOMAIN\\*"
|
||||
iseval = 0
|
||||
|
||||
[process_create_whitelist]
|
||||
definition = search NOT [| inputlookup threathunting_process_create_whitelist.csv | fields mitre_technique_id host_fqdn user_name process_path process_parent_path process_command_line hash_sha256]
|
||||
iseval = 0
|
||||
|
||||
[network_whitelist]
|
||||
definition = search NOT [| inputlookup threathunting_network_whitelist.csv | fields mitre_technique_id host_fqdn user_name dst_ip dst_port src_ip process_path]
|
||||
iseval = 0
|
||||
|
||||
[process_access_whitelist]
|
||||
definition = search NOT [| inputlookup threathunting_process_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path target_process_path process_granted_access]
|
||||
iseval = 0
|
||||
|
||||
[image_load_whitelist]
|
||||
definition = search NOT [| inputlookup threathunting_image_load_whitelist.csv | fields mitre_technique_id host_fqdn process_path driver_loaded driver_is_signed driver_signature driver_signatureStatus]
|
||||
iseval = 0
|
||||
|
||||
[file_access_whitelist]
|
||||
definition = search NOT [| inputlookup threathunting_file_access_whitelist.csv | fields mitre_technique_id host_fqdn process_path file_path]
|
||||
iseval = 0
|
||||
|
||||
[registry_whitelist]
|
||||
definition = search NOT [| inputlookup threathunting_registry_whitelist.csv | fields mitre_technique_id host_fqdn event_type process_path registry_key_path registry_key_details]
|
||||
iseval = 0
|
||||
|
||||
[pipe_created_whitelist]
|
||||
definition = search NOT [| inputlookup threathunting_pipe_created_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
|
||||
iseval = 0
|
||||
|
||||
[wmi_whitelist]
|
||||
definition = search NOT [| inputlookup threathunting_wmi_whitelist.csv | fields mitre_technique_id host_fqdn process_path pipe_name]
|
||||
iseval = 0
|
||||
|
||||
[remote_thread_whitelist]
|
||||
definition = search NOT [| inputlookup threathunting_remote_thread_whitelist.csv | fields mitre_technique_id host_fqdn process_name target_process_path target_process_address]
|
||||
iseval = 0
|
||||
Binary file not shown.
Binary file not shown.
BIN
Vagrant/resources/splunk_server/threathunting_11.tgz
Normal file
BIN
Vagrant/resources/splunk_server/threathunting_11.tgz
Normal file
Binary file not shown.
Reference in New Issue
Block a user